The end is near! Only a little time is left until the end of life! At least for PHP 5.6 and PHP 7.0. Why update? Why is there so much old PHP out there? How to establish an up-to-date mindset.
Why upgrade to PHP 7.2 anyway?
It's about time. "PHP 5.6" is the last PHP 5 version around and there will be no security patches from December 2018 on. Any new vulnerabilities will not get fixed any more. The same applies to the initial PHP 7 release, version 7.0. It was released in December 2015. The current version is PHP 7.2 and PHP 7.3 is approaching next.
See the officially supported PHP versions and their lifespans here.
How much old PHP is still around?
As of September 2018: PHP 5 is still the most used version of PHP. Depending on who you ask, you will get different answers:
- ~80% old PHP according to W3Techs (PHP 7 also includes the deprecated PHP 7.0)
- ~66% old PHP according to WordPress
- ~21% old PHP according to Composer
Why the differences? Well, I believe W3Techs is just crawling the web, sniffing the X-Powered-By header to get the version in use today. That includes all the public IPs with all the neglected websites out there. As this gives potential hackers information about the PHP version, it's common practice to suppress or fake this header, so maybe take this number with an extra grain of salt. WordPress is luckily a little ahead, as it is an active community of "web designers", with a big stake in the United States. And of course, Jordi with Composer is ahead, as those PHPeople are mostly "web developers" who care more about such things.
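The header-based measurement described above also works as an inventory check on your own sites. The following is an added example, not code from the original post: it classifies response headers using the article's rule (PHP 5 and PHP 7.0 are unsupported) and treats a suppressed or faked header as unknown rather than safe. The host names and header values are constructed.

```python
import re

# Rule taken from the article: every PHP 5 release and PHP 7.0 get no security
# patches from December 2018 on. Hosts and header values below are constructed.
PHP_TOKEN = re.compile(r"PHP/(\d+)\.(\d+)", re.IGNORECASE)

SAMPLE = {
    "shop.example": {"X-Powered-By": "PHP/5.6.38"},
    "blog.example": {"x-powered-by": "PHP/7.0.32"},
    "app.example": {"X-Powered-By": "PHP/7.2.10"},
    "api.example": {"Server": "nginx"},          # header suppressed
    "old.example": {"X-Powered-By": "ASP.NET"},  # faked or not PHP at all
}


def classify(headers):
    """Return (status, detail) for one host's response headers (a dict)."""
    # Header names are case-insensitive, so normalise before the lookup.
    value = {k.lower(): v for k, v in headers.items()}.get("x-powered-by")
    if value is None:
        return ("unknown", "no X-Powered-By header; check the runtime itself")
    match = PHP_TOKEN.search(value)
    if match is None:
        return ("unknown", "no PHP version in %r; check the runtime itself" % value)
    major, minor = int(match.group(1)), int(match.group(2))
    branch = "%d.%d" % (major, minor)
    if major < 7 or (major, minor) == (7, 0):
        return ("unsupported", "PHP %s advertised; upgrade needed" % branch)
    return ("disclosed", "PHP %s advertised; not end-of-life, but exposed" % branch)


def audit(inventory):
    """Classify every host in a {host: headers} inventory."""
    return {host: classify(headers) for host, headers in inventory.items()}


if __name__ == "__main__":
    for host, (status, detail) in sorted(audit(SAMPLE).items()):
        print("%-14s %-12s %s" % (host, status, detail))
```

In PHP the header is controlled by the expose_php directive in php.ini; hiding it removes the disclosure but does not change which version is actually running.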
Who is to blame for all the old PHP?
We started fortrabbit, around 5 years ago, because we were thrilled by the new PHProfessionality. Composer, Laravel — for us PHP really made the switch to a modern programming language. Still PHP has a bad rep for being the Pretty Home Pages language — and that is also still true. PHP was and still is (besides JavaScript) the first web native language to pick to create home pages. And many of those websites are still around. It's all those tiny businesses and their semi-professional web designers. When you receive $200 to build a website for a restaurant, you are not likely to maintain it for the next 10 years.
And it's the mass of shady shared hosting providers who are keeping the clients locked into long-term contracts and outdated versions. I can imagine that half of those PHP 5.6 websites could actually be switched off by now. But that's not in the interest of the hosting providers; they are more interested in keeping them around.
Our conflict of interests
It's tricky. Even with us — fancy PHP cloud hosting (fortrabbit) — around a quarter of Apps are still running on PHP 7.0 and PHP 5.6. Luckily it's more PHP 7.0 and less PHP 5.6, which will make the transition less painful. Still it's a few hundred Apps and that's some good revenue for us. Most of those Apps are old of course, they have a lifetime of at least 14 months and sometimes much more. So those Apps are already older than the average App here — more likely to churn soon. We expect to find lots of neglected projects their owners forgot about in there. Now, when we start to inform the owners about upcoming changes, chances are that many of those projects will just be killed. Either the projects are not needed, or there will be no budget for migration efforts. PHPeople will be like:
"Oh, that shit is still around? I need to take care of this now? Oh, and I haven't integrated those GDPR changes. I can cancel this right away. Cool! Let's do this instead."
We will lose a good number of Apps. As a business that's of course not in our interest.
Or shall we keep all the old PHP?
We have discussed ways to deal with the situation. One idea was to keep those Apps still around, on unsecured PHP versions. Our fellow colleagues over at Platform.sh are following such an approach: asking to upgrade but still keeping Apps on old PHP versions around - see their blog post. The argument here is that we should support the clients' preferences as much as we can. This is technically possible here as well. We could accept the risk of someone leveraging unfixed vulnerabilities to break in, only causing some local damage. But NO, we won't do that! Still this could cause our IP ranges or App URLs to be down-ranked or included in SPAM blacklists. We also want our client base to be fresh, agile and alive.
What to do about all the old PHP?
Whatever the real number of old PHP installations in the whole internet will be, there soon will be tens of thousands of outdated and unprotected PHP servers out there waiting for hackers to take them over. Maybe we should all gather together and raise awareness for the situation so that more PHPeople wake up and update? What about a hashtag like #uPHPgraded?
Or maybe, even better, that's a call to establish new business models? Imagine, what would you do with that army of zombie servers? Bitcoin mining or even making Obama president again?
Establish an up-to-date mindset!
Keeping your own code and the underlying software dependencies up-to-date is more than just a good practice, it's a requirement. The up-to-date mindset requires some thinking ahead and discipline. Technical debt is the keyword here. Consider upfront that all the code you have out there will constantly need some attention and time.
It's easier when you are both code maintainer and business owner, like with a start-up or as a freelancer on your own projects. It's more complicated in bigger structures and in client-agency relationships. Make maintenance a topic early on, include it in your estimates. Raise awareness of the importance of keeping your software up-to-date. Reserve a time budget for that upfront.
Wrapping up
We are very happy to see the PHP language under heavy development coming closer to shorter release cycles and even breaking some old habits. It's alive. Let's embrace change and move forward.
This was first published in the fortrabbit blog and has been slightly edited for the dev.to community. I think we need to raise awareness in the PHP community on that.
Top comments (5)
The underlying problem is, no one really cares about PHP any more, or the software written in it. I as a sysadmin run a bunch of PHP code, because I have to, and it genuinely sucks that I can't upgrade the PHP running it, because it won't execute (some of the) old PHP code. PHP was the first wave of the throwaway-instead-of-maintain software for the web some 15 years ago, which since became a trend with all these frameworks in NodeJS and Python. People wrote a bunch of code in this managed environment, then moved on, then the running environment broke their compatibility for reason X, and now we're stuck between a rock and a hard place. Almost all this PHP software I still depend on would need active maintenance or complete replacement. I just don't have the energy/resources for that. I'm not interested in that. It's a burden that PHP developers just pushed on my desk, the compatibility breakages they labelled "But hey! These now are our best practices!" and now it's somehow my problem. I hate this.
If I'm ever going to touch most of my custom written PHP code (which becomes more and more unavoidable) I'm not upgrading it to a newer version of PHP, but I'm going to replace it completely. Because not the code I have written in PHP, but PHP itself already became my problem. So I'm not keeping this problem around for the future, sorry.
(Note: this post may sound a bit harsher than it should be, but the intention was to show one aspect why the new PHP adoption is so slow across all the web. Because most of that code is unmaintained, and the running environment only gets updated, when Ubuntu for example bundles a new PHP, and they update the server running that code. Otherwise, no one is really interested, or around any more to do so. Most of this code is not maintained by the "PHP Community" whatever that might be, but people who never subscribed to do this kind of job, like me.)
The problem is larger. I am a new software engineer, but I can observe that almost everyone prefers to code in an easier language. I always hear people say "This language is stable, has good performance, is easy to code..." for languages like NodeJS or frameworks like Angular, but they are right only about the last argument, because languages like PHP or C++ in the software world (as opposed to Java) are harder to learn and you have to think about your future application, its maintenance and optimization before starting to code anything. But if you master these "hard" languages, you will have the same, or even better performance (than mastering easy frameworks) and better maintainability.
The real problem is that people think too much about the code, and forget the most important thing: the software engineering.
Maybe we have a tunnel vision? We run a PHP hosting platform and we see indeed much new and interesting stuff. Laravel, Craft CMS and the new PHP versions.
I think anyone who primarily moves in a domain misses things from a big perspective. It happens to me in my domains too. I didn't claim there weren't new things happening in PHP, it's just I still remember from 10 years ago, when PHP was THE web backend language, whose landscape is much more colorful now, with a lot of PHP code left in legacy status. This is what I see anyway.
It's also the inherent conflict of makers, who love to move fast and break things (and this attitude enabled a lot of things, and had many benefits, don't get me wrong) and the maintainers, who are left with the broken things to care for, and from that view nothing is scarier/more worrying than a new version "with many exciting new changes". :) So I just wanted to add these two cents.
There is nothing wrong about PHP. It is a great coding language to start with and create awesome apps.
The real problem is more about how app developers are moving on too fast and are trying to implement new features even if no one needs them. We can see this problem currently at WordPress. They try to push features into the core to be able to compete with the competition, the problem here is: most users just want WordPress to be usable and reliable – they don't care about new fancy features which bring more breaks than advantages to the average user.